{"id":108,"date":"2024-09-03T07:00:00","date_gmt":"2024-09-03T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=108"},"modified":"2024-09-03T07:00:00","modified_gmt":"2024-09-03T07:00:00","slug":"how-to-ensure-cybersecurity-strategies-align-with-the-companys-risk-tolerance","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=108","title":{"rendered":"How to ensure cybersecurity strategies align with the company\u2019s risk tolerance"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Aligning an organization\u2019s appetite for risk with cybersecurity strategies is a critical challenge CISOs face, one that requires balancing technical controls and business needs. Achieving that balance demands a capacity to adapt to changing risk environments. But as the <a href=\"https:\/\/www.csoonline.com\/article\/3477061\/crowdstrike-blames-testing-shortcomings-for-windows-meltdown.html\">CrowdStrike outage<\/a> showed, well-prepared systems can encounter unforeseen issues, highlighting why cybersecurity strategies need to consider the broader implications of the organization\u2019s risk tolerance.<\/p>\n<p>In many cases, achieving that alignment requires direction from the board, but this is by no means a given. While managing organizational risk falls squarely within the purview of the board, 85% of CISOs believe the board should offer clear guidance on the organization\u2019s risk tolerance for them to act on, according to the <a href=\"https:\/\/www.iansresearch.com\/resources\/all-blogs\/post\/security-blog\/2024\/01\/17\/state-of-the-ciso-2023-2024-benchmark-report-is-live\">IANS State of the CISO 2024 Benchmark Report<\/a>. 
However, just 36% are being given this direction, despite regular, recurring board access offering CISOs more confidence in alignment between the company\u2019s risk profile and the security mandate.<\/p>\n<p>\u201cThe people who have more face time and stronger relationships with the board and executive leadership have a sense of where the organization is in terms of risk and what it takes to build a good security program,\u201d says Wolfgang Goerlich, CISO at Oakland County and IANS faculty member.<\/p>\n<p>When CISOs are left out of board-level conversations, the opposite is true. \u201cThe further we are from the executive conversations, the less dialed in the risk tolerance can be and the less business focused our treatment plans can be,\u201d Goerlich says.<\/p>\n<p>Without regular board engagement, CISOs need to adopt a different strategy and guide the conversation, lay down the parameters and take feedback on their programs, according to Goerlich. He argues that peers can provide important risk tolerance signals. \u201cI don\u2019t think your primary goal should be \u2018How do I get more board time?\u2019 It should be \u2018How do I better understand the 360-degree relationships I have to make sure my risk tolerance decisions and the risk scenarios I\u2019m putting forward echo and make sense to my peers?\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">Risk tolerance versus risk appetite<\/h2>\n<p>The essence of the question is \u2018How much risk are we willing to take on?\u2019 and the answer is in quantifying risk tolerance and distinguishing it from risk appetite. \u201cRisk appetite can be highly variable, it can vary among board members and understanding it tends to be very much about intuition on the part of the CISO,\u201d Goerlich says.<\/p>\n<p>On the other hand, risk tolerance needs to be a guided discussion around a particular objective or a risk scenario, where a CISO can develop a hypothesis. 
\u201cIf you can be explicit, if you can describe it well, then you can really have a good conversation to get everyone on the same page as to what that risk is and what you need to do about it.\u201d<\/p>\n<p>The recommendation is for CISOs to consider the potential organizational ramifications and wider public outrage of an incident and avoid trying to get board members to give guidance on the technical detail. \u201cUnless they are a technical board member, they\u2019re looking to us as CISOs to really understand and control that,\u201d says Goerlich.<\/p>\n<h2 class=\"wp-block-heading\">The risk conversation<\/h2>\n<p>To lead the risk conversation and work towards alignment, CISOs need to quantify cyber risk and develop mature risk reporting practices, according to Mary Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology. Carmichael, who, as a member of ISACA\u2019s CRISC certification committee, is at the forefront of developing risk frameworks, says using data from industry sources like the <a href=\"https:\/\/www.csoonline.com\/article\/3479321\/the-cost-of-a-data-breach-continues-to-escalate.html\">IBM cost of data breach report<\/a> helps in understanding the probability and potential impact of cyber risks. \u201cThis is crucial for sectors like healthcare and education, which are often under-invested in cybersecurity.\u201d<\/p>\n<p>Organizations need to improve their understanding of risk, particularly as the board is ultimately accountable for risk oversight, even where it delegates authority to management. \u201cManagement, not just the CISO, is responsible for understanding the potential risks to operations and working with the CISO on control requirements,\u201d Carmichael says.<\/p>\n<p>Proper risk assessments and strategic planning are essential for aligning risk tolerance with business objectives. 
There needs to be more education about what risk management is and who owns the risk, and risk assessments need to be built into the strategic planning process, according to Carmichael. This should include scenario analysis to assess the financial impact of cyber incidents. Risk scenarios help estimate potential losses from cyber incidents, including evaluating reputational, financial, and operational impacts to present to executive leadership.<\/p>\n<p>Organizations need to war-game cyber incidents, from external attacks to internal threats, drawing on news and recent breaches to understand and mitigate emerging risks.<\/p>\n<p>Admittedly, there\u2019s always the prospect of a black swan event that no one\u2019s really expecting or is fully prepared for. A case in point is the CrowdStrike event, triggered by an update gone wrong that had a worldwide impact. \u201cWho would have expected CrowdStrike to bring down 10 million computers worldwide and create a global outage?\u201d Carmichael says.<\/p>\n<p>Nonetheless, it serves as a reminder for CISOs that such events change organizational risk tolerance, and going forward they may need to include strategies for complete digital destruction scenarios, whether it\u2019s a direct cyber-attack or a system outage brought on by a third party. \u201cSimulate complete system outages to test recovery plans and prioritize critical systems, and see if, worst case scenario, you\u2019re able to [at] least recover from backups,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">Risk and information security committees for sound planning<\/h2>\n<p>One way for CISOs to align cybersecurity strategies with organizational risk tolerance is strategic involvement across the organization. 
\u201cBy forming risk committees and engaging in business discussions, CISOs can better understand and address the risks associated with new technologies and initiatives, and support the organization\u2019s overall strategy,\u201d Carmichael says.<\/p>\n<p>An information security committee is vital to this mission, according to Carl Grifka, MD of SingerLewak LLP, an advisory firm that specializes in risk and cybersecurity. \u201cThere needs to be a regular assessment of not just the cybersecurity environment, but also the risk tolerance and risk appetite, which is going to drive the controls that we\u2019re going to put in place,\u201d Grifka tells CSO.<\/p>\n<p>The committee operates as a cross-functional team that brings together different members of the business, including the executive, IT, security and maybe even a board representative on a more regular basis. Organizations low on the maturity level probably need to meet every couple of weeks, especially if they\u2019re in a remediation phase and working to reduce gaps in the security posture. \u201cThe committee becomes that apparatus you can use to communicate as you go,\u201d Grifka says.<\/p>\n<p>For those higher on the maturity level, having a committee in place provides a mechanism for review and response to the changing risk landscape. \u201cIt should be regularly reporting on the state of information security within the organization,\u201d Grifka says.<\/p>\n<p>With a large and growing list of responsibilities and short tenure, it can be challenging for CISOs to know the business deeply. The committee is a useful forum to help CISOs understand what\u2019s going on across the organization. \u201cIdeally they should really have the pulse of the business,\u201d Grifka says.<\/p>\n<p>To help make the task less daunting, actively building relationships with other business leaders will help CISOs come to grips with what\u2019s happening and build trust. 
\u201cHaving that rapport, hopefully they\u2019ll pick up the phone to say \u2018hey, we\u2019re thinking of doing this\u2019 and the CISO gets to know about it,\u201d Grifka adds. \u201cOther business leaders should feel comfortable to engage you in those water cooler moments.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Next comes the maturity assessment<\/h2>\n<p>By understanding the business deeply, it\u2019s easier to translate its risk tolerance into the security posture. Doing so requires a mature framework and not accepting more risk than the organization is willing to take on.<\/p>\n<p>It starts with maturity level assessments, mapping controls against industry frameworks and defining the level of maturity the organization desires and then translating that into the specific controls. \u201cYou shouldn\u2019t be spending to put in significantly more controls than you need because that would then reduce efficiency and add additional cost,\u201d Grifka says.<\/p>\n<p>Finding the balance is necessary, but it\u2019s by no means a static set-and-forget position. \u201cIt needs to be dynamic because what makes sense today might not make sense two years from now, and so the process needs to be regularly adjusted,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">How CISOs can help organizational growth through collaboration<\/h2>\n<p>A cyber risk is a business risk and it needs to be addressed with IT controls. One of the challenges, however, is that CISOs must come to grips with the meaning of these risks. The risk isn\u2019t the unpatched vulnerability itself; it\u2019s the ramifications for the business, Goerlich tells CSO. 
\u201cOur ability as security leaders to elevate the risk scenario and lead the conversation around tolerance is predicated on us putting that risk within the business context and the product we\u2019re selling.\u201d<\/p>\n<p>Goerlich suggests that a CISO\u2019s professional background plays a part in coming to grips with this: those with a <a href=\"https:\/\/www.csoonline.com\/article\/1309993\/grc-impact-and-challenges-to-cybersecurity.html\">GRC<\/a> background tend to be better at tying security risk to business risk because they understand the compliance obligations, while those from a SecOps path may struggle more.<\/p>\n<p>Nonetheless, CISOs need to be conscious of the business operating environment and draw on appropriate metrics to illustrate how risk is being managed. The goal is to show the risk is coming down and the CISO has implemented a treatment plan that works. To do this effectively, CISOs will need stronger business acumen, according to the IANS report, and increasingly this includes offering constructive ways to support risk as a business opportunity. \u201cThat business acumen is understanding the business ramifications of the risk, not the technical underpinnings,\u201d Goerlich says.<\/p>\n<p>However, Goerlich believes \u2018positive risk\u2019 is something that security leaders have found very difficult to identify and capitalize on. \u201cIn part, it\u2019s because the downsides of cyber are so great and the upside is nothing bad happened,\u201d says Goerlich. He encourages CISOs to develop stronger partnerships with other technical leaders to understand business objectives and identify the associated risks. This includes partnering with the CIO or the CTO to find ways forward, because it can be a tricky path to go alone.<\/p>\n<p>For too long, CISOs and cybersecurity teams have been known as the department that says \u2018no\u2019 and for being very risk averse, says Carmichael. 
But if business is all about seizing opportunities, growth means embracing and managing risk, whether it\u2019s in the form of new technologies like AI and IoT, new applications, expanding into new markets or acquiring new businesses.<\/p>\n<p>To shake off this reputation, CISOs and cybersecurity leaders need to constructively support the organization in its growth plans. \u201cPart of the CISO\u2019s remit now is how do we make sure the business is protected while moving these initiatives forward,\u201d Carmichael says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Aligning an organization\u2019s appetite for risk with cybersecurity strategies is a critical challenge CISOs face, one that requires balancing technical controls and business needs. Achieving that balance demands a capacity to adapt to changing risk environments. But as the CrowdStrike outage showed, well-prepared systems can encounter unforeseen issues, highlighting why cybersecurity strategies need to consider 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":109,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-108","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/108"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=108"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/108\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/109"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}